tigase / tigase-server

(M) Highly optimized, extremely modular and very flexible XMPP/Jabber server
https://tigase.net
GNU Affero General Public License v3.0

Can not enable secure websockets #73

Open real-artswan opened 3 years ago

real-artswan commented 3 years ago

I use Tigase 8.1.0 as a Docker image.

I've added the following to config.tdsl:

ws2s () {
    connections () {
        ports = [ 5290, 5291 ]
        5290 () {
            socket = 'plain'
            type = 'accept'
        }
        5291 () {
            socket = 'ssl'
            type = 'accept'
        }
    }
    seeOtherHost {}
}

and uncommented TLS_DEBUG in tigase.conf. Clients successfully connect via ws:/localhost:5290, but when I try to connect a client via wss:/localhost:5291 I get the following in the logs (I extracted what I believe are the most significant lines):

javax.net.ssl|DEBUG|02 88|pool-32-thread-1|2021-01-28 11:51:33.609 UTC|null:-1|Negotiated protocol version: TLSv1.2
javax.net.ssl|ALL|02 86|pool-32-thread-1|2021-01-28 10:47:00.735 UTC|null:-1|default is not a private key entry
pss2-chat_1     | javax.net.ssl|ALL|02 86|pool-32-thread-1|2021-01-28 10:47:00.736 UTC|null:-1|default is not a private key entry
pss2-chat_1     | javax.net.ssl|ALL|02 86|pool-32-thread-1|2021-01-28 10:47:00.736 UTC|null:-1|default is not a private key entry
pss2-chat_1     | javax.net.ssl|ALL|02 86|pool-32-thread-1|2021-01-28 10:47:00.736 UTC|null:-1|default is not a private key entry
pss2-chat_1     | javax.net.ssl|ALL|02 86|pool-32-thread-1|2021-01-28 10:47:00.736 UTC|null:-1|default is not a private key entry
pss2-chat_1     | javax.net.ssl|ALL|02 86|pool-32-thread-1|2021-01-28 10:47:00.736 UTC|null:-1|default is not a private key entry
pss2-chat_1     | javax.net.ssl|ALL|02 86|pool-32-thread-1|2021-01-28 10:47:00.736 UTC|null:-1|default is not a private key entry
pss2-chat_1     | javax.net.ssl|ALL|02 86|pool-32-thread-1|2021-01-28 10:47:00.736 UTC|null:-1|default is not a private key entry
pss2-chat_1     | javax.net.ssl|ALL|02 86|pool-32-thread-1|2021-01-28 10:47:00.736 UTC|null:-1|default is not a private key entry
pss2-chat_1     | javax.net.ssl|ALL|02 86|pool-32-thread-1|2021-01-28 10:47:00.736 UTC|null:-1|default is not a private key entry
pss2-chat_1     | javax.net.ssl|ALL|02 86|pool-32-thread-1|2021-01-28 10:47:00.736 UTC|null:-1|default is not a private key entry
pss2-chat_1     | javax.net.ssl|ALL|02 86|pool-32-thread-1|2021-01-28 10:47:00.737 UTC|null:-1|default is not a private key entry
pss2-chat_1     | javax.net.ssl|ERROR|02 86|pool-32-thread-1|2021-01-28 10:47:00.739 UTC|null:-1|Fatal (HANDSHAKE_FAILURE): no cipher suites in common (
pss2-chat_1     | "throwable" : {
pss2-chat_1     |   javax.net.ssl.SSLHandshakeException: no cipher suites in common
pss2-chat_1     |       at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
pss2-chat_1     |       at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
pss2-chat_1     |       at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
pss2-chat_1     |       at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
pss2-chat_1     |       at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
pss2-chat_1     |       at java.base/sun.security.ssl.ServerHello$T12ServerHelloProducer.chooseCipherSuite(Unknown Source)
pss2-chat_1     |       at java.base/sun.security.ssl.ServerHello$T12ServerHelloProducer.produce(Unknown Source)
pss2-chat_1     |       at java.base/sun.security.ssl.SSLHandshake.produce(Unknown Source)
pss2-chat_1     |       at java.base/sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(Unknown Source)
pss2-chat_1     |       at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(Unknown Source)
pss2-chat_1     |       at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(Unknown Source)
pss2-chat_1     |       at java.base/sun.security.ssl.SSLHandshake.consume(Unknown Source)
pss2-chat_1     |       at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
pss2-chat_1     |       at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(Unknown Source)
pss2-chat_1     |       at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(Unknown Source)
pss2-chat_1     |       at java.base/java.security.AccessController.doPrivileged(Native Method)
pss2-chat_1     |       at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(Unknown Source)
pss2-chat_1     |       at tigase.io.JcaTLSWrapper.doTasks(JcaTLSWrapper.java:304)
pss2-chat_1     |       at tigase.io.JcaTLSWrapper.unwrap(JcaTLSWrapper.java:261)
pss2-chat_1     |       at tigase.io.TLSIO.decodeData(TLSIO.java:345)
pss2-chat_1     |       at tigase.io.TLSIO.read(TLSIO.java:172)
pss2-chat_1     |       at tigase.net.IOService.readBytes(IOService.java:670)
pss2-chat_1     |       at tigase.server.websocket.WebSocketXMPPIOService.readData(WebSocketXMPPIOService.java:155)
pss2-chat_1     |       at tigase.xmpp.XMPPIOService.processSocketData(XMPPIOService.java:458)
pss2-chat_1     |       at tigase.server.websocket.WebSocketXMPPIOService.processSocketData(WebSocketXMPPIOService.java:135)
pss2-chat_1     |       at tigase.net.IOService.call(IOService.java:200)
pss2-chat_1     |       at tigase.xmpp.XMPPIOService.call(XMPPIOService.java:146)
pss2-chat_1     |       at tigase.xmpp.XMPPIOService.call(XMPPIOService.java:51)
pss2-chat_1     |       at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
pss2-chat_1     |       at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
pss2-chat_1     |       at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
pss2-chat_1     |       at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
pss2-chat_1     |       at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
pss2-chat_1     |       at java.base/java.lang.Thread.run(Unknown Source)}
pss2-chat_1     | 
pss2-chat_1     | )

It happens no matter whether I remove default.pem, allowing it to generate a new one, or generate a self-signed one myself with openssl req -x509 -newkey rsa:4096 -keyout default.key.pem -out default.pem -days 365 -nodes -subj '/CN=*.default'

openjdk 11.0.8 2020-07-14
OpenJDK Runtime Environment 18.9 (build 11.0.8+10)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.8+10, mixed mode)

So far my question is: "How to enable wss? What am I doing wrong?" Thanks in advance.

woj-tek commented 3 years ago

  1. How do you connect? From a browser? (If yes, which one and in which version?)
  2. Have you tried with a proper certificate (i.e. not self-signed)?

real-artswan commented 3 years ago

  1. I've tried to connect from the "Tigase Web Client" and from nodejs code using the stanza library, both with the same result.
  2. I have not tried with a proper certificate; to be honest, I don't think it is the problem, and I need to be able to run it with a self-signed certificate anyway.

I switched to Tigase 8.1.1 but the issue is still here.

Here is the full communication log of the connection; the client is the Tigase web client (the browser console just says it can't establish a connection to the server):

javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.585 UTC|SSLExtensions.java:135|Ignore unknown or unsupported extension (
"session_ticket (35)": {

}
)
javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.591 UTC|SSLExtensions.java:135|Ignore unknown or unsupported extension (
"key_share (51)": {
  0000: 00 69 00 1D 00 20 34 45   70 C1 EC C6 6B D4 0E 24  .i... 4Ep...k..$
  0010: CA 72 37 03 63 3A 48 51   B3 9D 47 D7 62 9F 02 C8  .r7.c:HQ..G.b...
  0020: CB BB D4 85 13 52 00 17   00 41 04 05 D5 7A B1 76  .....R...A...z.v
  0030: 76 4D B5 9E 3A 13 93 4E   CA D4 0B 0F A5 50 A6 40  vM..:..N.....P.@
  0040: B9 7D FF CF 00 5A 58 41   30 94 33 90 C2 CC 99 D2  .....ZXA0.3.....
  0050: 93 23 51 DF 53 97 4A 74   69 B0 10 5B CD B7 C6 92  .#Q.S.Jti..[....
  0060: EF 5B 86 FF D7 73 81 56   61 2B D2                 .[...s.Va+.
}
)
javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.592 UTC|SSLExtensions.java:135|Ignore unknown or unsupported extension (
"psk_key_exchange_modes (45)": {
  0000: 01 01                                              ..
}
)
javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.593 UTC|SSLExtensions.java:135|Ignore unknown or unsupported extension (
"unknown extension (28)": {
  0000: 40 01                                              @.
}
)
javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.595 UTC|SSLExtensions.java:135|Ignore unknown or unsupported extension (
"client_certificate_type (21)": {
  0000: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  0010: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  0020: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  0030: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  0040: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  0050: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  0060: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  0070: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  0080: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  0090: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
  00A0: 00 00 00 00 00 00 00 00   00 00 00                 ...........
}
)
javax.net.ssl|WARNING|01 3C|pool-32-thread-1|2021-01-28 21:53:04.604 UTC|SignatureScheme.java:295|Signature algorithm, ed25519, is not supported by the underlying providers
javax.net.ssl|WARNING|01 3C|pool-32-thread-1|2021-01-28 21:53:04.604 UTC|SignatureScheme.java:295|Signature algorithm, ed448, is not supported by the underlying providers
javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.617 UTC|ClientHello.java:809|Consuming ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "1A 07 7D F7 22 F9 90 0C 1A CC FF C6 C9 9A 11 F2 C4 B4 DA 34 96 09 FF C8 80 20 40 9B DC E4 AB 86",
  "session id"          : "74 7B F8 EF 11 0A 9A A6 C0 8C 8B 51 1A B4 C5 B7 7B 2F 09 3D D3 DC DB A3 23 43 83 1E FA DE 89 0F",
  "cipher suites"       : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_AES_256_GCM_SHA384(0x1302), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), UNKNOWN-CIPHER-SUITE(0xCCA9)(0xCCA9), UNKNOWN-CIPHER-SUITE(0xCCA8)(0xCCA8), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), SSL_RSA_WITH_3DES_EDE_CBC_SHA(0x000A)]",
  "compression methods" : "00",
  "extensions"          : [
    "extended_master_secret (23)": {
      <empty>
    },
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    },
    "supported_groups (10)": {
      "versions": [x25519, secp256r1, secp384r1, secp521r1, ffdhe2048, ffdhe3072]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "session_ticket (35)": {

    },
    "application_layer_protocol_negotiation (16)": {
      [h2, http/1.1]
    },
    "status_request (5)": {
      "certificate status type": ocsp
      "OCSP status request": {
        "responder_id": <empty>
        "request extensions": {
          <empty>
        }
      }
    },
    "key_share (51)": {
      "client_shares": [  
        {
          "named group": x25519
          "key_exchange": {
            0000: 34 45 70 C1 EC C6 6B D4   0E 24 CA 72 37 03 63 3A  4Ep...k..$.r7.c:
            0010: 48 51 B3 9D 47 D7 62 9F   02 C8 CB BB D4 85 13 52  HQ..G.b........R
          }
        },
        {
          "named group": secp256r1
          "key_exchange": {
            0000: 04 05 D5 7A B1 76 76 4D   B5 9E 3A 13 93 4E CA D4  ...z.vvM..:..N..
            0010: 0B 0F A5 50 A6 40 B9 7D   FF CF 00 5A 58 41 30 94  ...P.@.....ZXA0.
            0020: 33 90 C2 CC 99 D2 93 23   51 DF 53 97 4A 74 69 B0  3......#Q.S.Jti.
            0030: 10 5B CD B7 C6 92 EF 5B   86 FF D7 73 81 56 61 2B  .[.....[...s.Va+
            0040: D2 
          }
        },
      ]
    },
    "supported_versions (43)": {
      "versions": [TLSv1.3, TLSv1.2]
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha1, rsa_pkcs1_sha1]
    },
    "psk_key_exchange_modes (45)": {
      "ke_modes": [psk_dhe_ke]
    },
    "unknown extension (28)": {
      0000: 40 01                                              @.
    },
    "client_certificate_type (21)": {
      0000: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      0010: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      0020: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      0030: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      0040: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      0050: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      0060: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      0070: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      0080: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      0090: 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  ................
      00A0: 00 00 00 00 00 00 00 00   00 00 00                 ...........
    }
  ]
}
)
javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.618 UTC|SSLExtensions.java:192|Consumed extension: supported_versions
javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.623 UTC|ClientHello.java:839|Negotiated protocol version: TLSv1.2
javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.623 UTC|SSLExtensions.java:173|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.627 UTC|SSLExtensions.java:173|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.630 UTC|SSLExtensions.java:192|Consumed extension: status_request
javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.631 UTC|SSLExtensions.java:192|Consumed extension: supported_groups
javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.631 UTC|SSLExtensions.java:192|Consumed extension: ec_point_formats
javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.635 UTC|SSLExtensions.java:192|Consumed extension: signature_algorithms
javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.635 UTC|SSLExtensions.java:173|Ignore unavailable extension: signature_algorithms_cert
javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.636 UTC|AlpnExtension.java:277|Ignore server unenabled extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.636 UTC|SSLExtensions.java:192|Consumed extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.636 UTC|SSLExtensions.java:173|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.637 UTC|SSLExtensions.java:192|Consumed extension: extended_master_secret
javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.637 UTC|SSLExtensions.java:192|Consumed extension: supported_versions
javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.637 UTC|SSLExtensions.java:192|Consumed extension: renegotiation_info
javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.639 UTC|SSLSessionImpl.java:210|Session initialized:  Session(1611870784639|SSL_NULL_WITH_NULL_NULL)
javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.639 UTC|SSLExtensions.java:207|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.640 UTC|SSLExtensions.java:207|Ignore unavailable extension: max_fragment_length
javax.net.ssl|WARNING|01 3C|pool-32-thread-1|2021-01-28 21:53:04.641 UTC|SSLExtensions.java:215|Ignore impact of unsupported extension: status_request
javax.net.ssl|WARNING|01 3C|pool-32-thread-1|2021-01-28 21:53:04.641 UTC|SSLExtensions.java:215|Ignore impact of unsupported extension: supported_groups
javax.net.ssl|WARNING|01 3C|pool-32-thread-1|2021-01-28 21:53:04.642 UTC|SSLExtensions.java:215|Ignore impact of unsupported extension: ec_point_formats
javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.642 UTC|SSLExtensions.java:224|Populated with extension: signature_algorithms
javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.643 UTC|SSLExtensions.java:207|Ignore unavailable extension: signature_algorithms_cert
javax.net.ssl|WARNING|01 3C|pool-32-thread-1|2021-01-28 21:53:04.644 UTC|SSLExtensions.java:215|Ignore impact of unsupported extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.644 UTC|SSLExtensions.java:207|Ignore unavailable extension: status_request_v2
javax.net.ssl|WARNING|01 3C|pool-32-thread-1|2021-01-28 21:53:04.645 UTC|SSLExtensions.java:215|Ignore impact of unsupported extension: extended_master_secret
javax.net.ssl|WARNING|01 3C|pool-32-thread-1|2021-01-28 21:53:04.645 UTC|SSLExtensions.java:215|Ignore impact of unsupported extension: supported_versions
javax.net.ssl|WARNING|01 3C|pool-32-thread-1|2021-01-28 21:53:04.646 UTC|SSLExtensions.java:215|Ignore impact of unsupported extension: renegotiation_info
javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.649 UTC|X509Authentication.java:303|default is not a private key entry
javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.655 UTC|X509Authentication.java:303|default is not a private key entry
javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.655 UTC|X509Authentication.java:303|default is not a private key entry
javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.656 UTC|X509Authentication.java:303|default is not a private key entry
javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.656 UTC|X509Authentication.java:303|default is not a private key entry
javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.656 UTC|X509Authentication.java:303|default is not a private key entry
javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.657 UTC|X509Authentication.java:303|default is not a private key entry
javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.657 UTC|X509Authentication.java:303|default is not a private key entry
javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.657 UTC|X509Authentication.java:303|default is not a private key entry
javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.658 UTC|X509Authentication.java:303|default is not a private key entry
javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.659 UTC|X509Authentication.java:303|default is not a private key entry
javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.659 UTC|X509Authentication.java:303|default is not a private key entry
javax.net.ssl|ERROR|01 3C|pool-32-thread-1|2021-01-28 21:53:04.661 UTC|TransportContext.java:341|Fatal (HANDSHAKE_FAILURE): no cipher suites in common (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: no cipher suites in common
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:336)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:283)
        at java.base/sun.security.ssl.ServerHello$T12ServerHelloProducer.chooseCipherSuite(ServerHello.java:460)
        at java.base/sun.security.ssl.ServerHello$T12ServerHelloProducer.produce(ServerHello.java:295)
        at java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:436)
        at java.base/sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(ClientHello.java:1102)
        at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:854)
        at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:813)
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
        at tigase.io.JcaTLSWrapper.doTasks(JcaTLSWrapper.java:304)
        at tigase.io.JcaTLSWrapper.unwrap(JcaTLSWrapper.java:261)
        at tigase.io.TLSIO.decodeData(TLSIO.java:345)
        at tigase.io.TLSIO.read(TLSIO.java:172)
        at tigase.net.IOService.readBytes(IOService.java:670)
        at tigase.server.websocket.WebSocketXMPPIOService.readData(WebSocketXMPPIOService.java:155)
        at tigase.xmpp.XMPPIOService.processSocketData(XMPPIOService.java:458)
        at tigase.server.websocket.WebSocketXMPPIOService.processSocketData(WebSocketXMPPIOService.java:135)
        at tigase.net.IOService.call(IOService.java:200)
        at tigase.xmpp.XMPPIOService.call(XMPPIOService.java:146)
        at tigase.xmpp.XMPPIOService.call(XMPPIOService.java:51)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.base/java.lang.Thread.run(Thread.java:834)}

)
javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.667 UTC|SSLSessionImpl.java:784|Invalidated session:  Session(1611870784533|SSL_NULL_WITH_NULL_NULL)
javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.667 UTC|SSLSessionImpl.java:784|Invalidated session:  Session(1611870784639|SSL_NULL_WITH_NULL_NULL)

real-artswan commented 3 years ago

By the way, when you set an SSL certificate via the web admin UI it checks the domain name in CN, so for the default certificate (which is in use for wss connections afaiu) it must be "*.default" to be accepted; I don't think I can sign such a certificate.

woj-tek commented 3 years ago

> By the way, when you set an SSL certificate via the web admin UI it checks the domain name in CN, so for the default certificate (which is in use for wss connections afaiu) it must be "*.default" to be accepted; I don't think I can sign such a certificate.

How do you set "default"? By selecting the "default" vhost? In the newest, development version there is a checkbox to mark a particular domain certificate as the default, as the 'default' vhost shouldn't be used for it. At any rate, as an admin you still should be able to upload the certificate. Or you can place it directly in the certs/ directory.

As for the issue with WSS connectivity - as unusual as it seems, using a correct certificate (not self-signed) actually fixes the issue (I checked with the sure.im client in Firefox and using websocat). Most likely you would somehow add your certificate/CA to the trust store of the client and then it would allow the connection.

real-artswan commented 3 years ago

At first, thanks for your concern. I've realized that I can put a proxy, kind of nginx, in front to do the ssl stuff and avoid enabling it in Tigase. Right? Anyway, the problem with self-signed certificates is odd; I'm pretty familiar with the restrictions of self-signed certificates and it doesn't look like a case. FYI I was able to build and run the latest release version 8.1.1 from sources and can debug it, so if you point me to the place to look at to investigate and resolve it, then I could.

woj-tek commented 3 years ago

> I've realized that I can put a proxy, kind of nginx, in front to do the ssl stuff and avoid enabling it in Tigase. Right?

Yes, that's correct. We are using it in similar setup at tigase.im service.

> Anyway, the problem with self-signed certificates is odd; I'm pretty familiar with the restrictions of self-signed certificates and it doesn't look like a case. FYI I was able to build and run the latest release version 8.1.1 from sources and can debug it, so if you point me to the place to look at to investigate and resolve it, then I could.

The following classes are mainly responsible for handling encryption: JcaTLSWrapper, SSLContextContainer, TLSIO
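
Added example (not part of the thread and not Tigase code): a Python triage of JSSE debug output like the logs posted above, which reports when a "no cipher suites in common" alert was preceded on the same thread by "<alias> is not a private key entry" records, meaning the server's key store held no usable private key for that alias rather than the two sides lacking a shared suite. It assumes the pipe-delimited record layout seen in those logs; `triage`, the finding keys and the cause labels are names chosen here.

```python
import re
from collections import Counter

# Constructed sample, shortened from the JSSE debug output quoted in the issue.
SAMPLE_LOG = '''\
javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.617 UTC|ClientHello.java:809|Consuming ClientHello handshake message (
  "cipher suites"       : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F)]",
javax.net.ssl|DEBUG|01 3C|pool-32-thread-1|2021-01-28 21:53:04.623 UTC|ClientHello.java:839|Negotiated protocol version: TLSv1.2
javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.649 UTC|X509Authentication.java:303|default is not a private key entry
javax.net.ssl|ALL|01 3C|pool-32-thread-1|2021-01-28 21:53:04.655 UTC|X509Authentication.java:303|default is not a private key entry
javax.net.ssl|ERROR|01 3C|pool-32-thread-1|2021-01-28 21:53:04.661 UTC|TransportContext.java:341|Fatal (HANDSHAKE_FAILURE): no cipher suites in common (
  javax.net.ssl.SSLHandshakeException: no cipher suites in common
'''

# One JSSE debug record: logger|level|thread id|thread name|time|source|message.
RECORD = re.compile(
    r"^(?:\S+\s*\|\s)?"  # optional docker-compose prefix, e.g. "pss2-chat_1     | "
    r"javax\.net\.ssl\|(?P<level>[A-Z]+)\|(?P<tid>[^|]*)\|(?P<thread>[^|]*)\|"
    r"(?P<ts>[^|]*)\|(?P<src>[^|]*)\|(?P<msg>.*)$"
)
NOT_KEY = re.compile(r"^(?P<alias>.+) is not a private key entry$")
VERSION = re.compile(r"Negotiated protocol version: (?P<v>\S+)")
SUITES = re.compile(r'"cipher suites"\s*:\s*"\[(?P<list>[^\]]*)\]"')
TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")  # suites that exist only in TLS 1.3


def triage(log_text):
    """Return one finding per 'no cipher suites in common' alert."""
    findings, state, current = [], {}, None
    for raw in log_text.splitlines():
        rec = RECORD.match(raw)
        if rec is None:
            # Continuation of a multi-line record; only the ClientHello
            # suite list is of interest here.
            suites = SUITES.search(raw)
            if suites and current in state:
                names = [s.strip() for s in suites["list"].split(",")]
                state[current]["offered"] = [s for s in names if s]
            continue
        current = rec["thread"]
        st = state.setdefault(
            current, {"version": None, "offered": [], "no_key": Counter()}
        )
        msg = rec["msg"]
        version = VERSION.search(msg)
        no_key = NOT_KEY.match(msg)
        if version:
            st["version"] = version["v"]
        elif no_key:
            st["no_key"][no_key["alias"]] += 1
        elif rec["level"] == "ERROR" and "no cipher suites in common" in msg:
            older = [s for s in st["offered"] if not s.startswith(TLS13_PREFIXES)]
            findings.append({
                "thread": current,
                "time": rec["ts"],
                "version": st["version"],
                "pre_tls13_suites_offered": len(older),
                "aliases_without_key": dict(st["no_key"]),
                # A server with no private key entry cannot use any
                # certificate-authenticated suite, so JSSE raises the same
                # alert it would raise for a genuine mismatch.
                "cause": "no-usable-server-key" if st["no_key"] else "cipher-mismatch",
            })
            del state[current]  # the handshake on this thread is over
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
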